ONC panel seeks input on patient credentialing

An emerging issue as providers and hospitals drive toward making meaningful use of certified EHRs is how the identity of individuals should be verified when they electronically access their health records. The privacy and security panels that advise the Office of the National Coordinator for Health IT (ONC) want to hear from the public about how the verification might work.

The comments will be shared with the federal advisory Health IT Policy and Standards Committees as part of an Oct. 29 online hearing on credentialing patients to ensure that patients "are who they say they are" so they can take advantage of Web tools, according to Deven McGraw, chair of ONC’s Privacy and Security Tiger Team.

To meet the requirements of meaningful use Stage 2, healthcare providers will need to more actively engage patients by enabling them to electronically view, download, and transmit relevant information from their EHRs.

This could include lab test results, a list of current medications and hospital discharge instructions.

Patient engagement also includes bi-directional, secure email with patients.

“We want to make sure we facilitate electronic data access and email in a way that protects the privacy, confidentiality and security of that information,” McGraw said in an Oct. 8 online post. She is also director of health privacy at the Center for Democracy and Technology.

Giving patients access to their health information and offering them tools to electronically communicate with their clinical care team is critical to making healthcare more patient-centered.

The ability to access health information online is quite similar to accessing a bank account online, according to Dixie Baker, chair of the Health IT Standards Committee privacy and security work group. As such, it could be useful to consider the process and information required to get online access to bank accounts.

“I feel comfortable that my bank takes my personal privacy, and the security of my information, very seriously. I would expect no less from my healthcare providers because my health information is at least as sensitive as my financial information,” she said in online comments. Baker is also senior partner at Martin, Blanck, and Associates LLC.

In addition to verifying the identity of a patient who is remotely accessing a health record, the panel, made up of representatives from healthcare, technology, consumer and government organizations, will explore at the upcoming meeting how to issue “digital credentials” without making it too difficult or expensive for patients.

Some patients already may have retrieved their health record online from their physician or hospital. The panel is interested in a description of how that access was granted. For example:

Did you (the patient) have to show up in person at your doctor’s office or were you able to establish the account online?

If you were able to establish the account online, what steps did you have to go through to prove your identity?

Once you established the account, what steps do you have to go through to access it?

Do you believe the process for giving you access to your account will keep your information secure?

Commenters may also recommend other approaches to provide patients with secure online access to their medical information. The public may comment online at the aforementioned blog post or may email ONC directly at ONC.Policy@hhs.gov.